It seems that there is no Dyre without Upatre

Jun 25, 2015 14:46 GMT  ·  By

In a recently observed campaign, cybercriminals distribute a new malware variant that still enjoys fairly limited detection from antivirus engines.

The malware is delivered via an email message carrying an attachment that claims to be a legal document detailing recent changes to the law on fraudulent activity.

The message is signed with the name Pamela Adams, purporting to be a chief accountant. This suggests that the attackers are targeting businesses, not average users.

Better detection is still expected

Once launched, the malicious file drops two items on the computer, one being the Upatre downloader (gebadof.exe) and the other the Dyre banking Trojan (qppwkce.exe). The pair has become infamous in recent months and systems infected with one of them usually present evidence of the other.

At the time of the initial analysis on Wednesday, the samples were picked up by up to three of the security solutions available on VirusTotal.

Detection has since improved, although not significantly: one of the two malware pieces is now correctly flagged as a threat by 16 of the 55 products on VirusTotal, while the other is detected by only 9 engines.

Traffic analysis points to countries with C&C for Dyre

The malware was collected by Conrad Longmore from Dynamoo's Blog, who fed it to automated analysis tools. According to the results, traffic was recorded to IP addresses in the Czech Republic, the US, Ukraine, Serbia, Russia, and Slovakia.

In a recent analysis of Dyre activity, security researchers at Symantec found that the command and control (C&C) infrastructure of the malware extended to all of these countries for tasks ranging from simple communication with victims to pushing different payloads and modules.

Although it is delivered by Upatre, Dyre has also been given the ability to download further threats on its own. Its main purpose, however, is to hook into web browsers and collect sensitive online banking data such as credentials and additional security codes.